An unprotected database with personal information of more than 275 million Indians has been hijacked by hackers, who may have stolen all or some of the data, reports Bob Diachenko, a security consultant and journalist at Diachenko said he found the unsecured and publicly indexed MongoDB database on May 1 and informed India’s Computer Emergency Response Team (CERT) at once.

However, the database was not secured, and on May 8 it was hacked by the Unistellar group, which wiped all the data. Diachenko said the records included people’s names, email, gender, date of birth, mobile phone number, current salary, employment history and current employer, education level and area of specialisation, and professional skills and functional area. He wrote that while the number of records stolen could be fewer that the total number exposed “it is still one of the biggest breaches reported in the region”. He said the database did not indicate who owned it but its structure hinted that it had been collected as part of a massive scraping operation. It was hosted on Amazon Web Services (AWS) infrastructure, and a reverse DNS lookup showed no results.

AmEx India’s database exposed for 5 days last October

Last October, Diachenko found that an unprotected MongoDB database with millions of records that belonged to American Express India had been accessible to anyone for more than five days. The database contained customers’ names, phone numbers, addresses, PAN numbers and Aadhaar IDs. He said that most of the data was encrypted but several collections were not. The largest non-encrypted collection of data had 689,272 records, including customers’ phone numbers, names, email addresses, and the type of card they owned. Another 2.3 million records were encrypted. Diachenko said that many of the entries had fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’, which led him to suspect that the database was not managed by AmEx itself but by a subcontractor handling SEO or lead generation. He said AmEx secured the database soon after he informed them about it. The company told him there had been no authorised access and no customer data had been affected.